TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Taxpayer Data Used at Contractor Facilities
May Be at Risk for Unauthorized
Access or Disclosure

May 18, 2010

Reference Number: 2010-20-051

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

HIGHLIGHTS

TAXPAYER DATA USED AT CONTRACTOR FACILITIES MAY BE AT RISK FOR UNAUTHORIZED ACCESS OR DISCLOSURE

Highlights

Final Report issued on May 18, 2010

Highlights of Reference Number: 2010-20-051 to the Internal Revenue Service Chief Technology Officer and Chief, Agency-Wide Shared Services.

IMPACT ON TAXPAYERS

The Internal Revenue Service (IRS) provides its taxpayer data to contractors who store and process the data at their own facilities in support of the IRS’ mission of tax administration. The IRS did not have effective processes to identify all contractors with IRS taxpayer data that require annual security reviews by the IRS and did not ensure computer security weaknesses identified at contractor facilities during security reviews have been corrected. As a result, taxpayer data may be at risk for unauthorized access or disclosure.

WHY TIGTA DID THE AUDIT

This audit was initiated as part of our statutory requirements to annually review the adequacy and security of IRS information technology. The overall objective of this review was to determine whether the IRS had effective controls in place to ensure IRS taxpayer data are protected at contractor facilities.

WHAT TIGTA FOUND

Current processes were not effective at identifying all contractors who receive IRS taxpayer data and are subject to required security reviews. The Infrastructure Security and Reviews (ISR) office identified contractors that require reviews by asking IRS business organizations to identify their contractors that process, store, or house IRS taxpayer data. However, this process did not identify all contractors who have been provided such data. Without an effective process for identifying the contractors receiving IRS taxpayer data, the IRS cannot ensure that all contractors who receive such data are being reviewed for compliance with security requirements. As a result, the IRS cannot ensure that taxpayer data are protected at contractor facilities.

TIGTA also found that security weaknesses identified by the ISR office team at contractor facilities were not timely corrected. Our review of eight contractors visited by the ISR office during Fiscal Year 2009 found that the ISR office identified security weaknesses at all eight contractor facilities. However, the IRS was unable to provide monitoring documents for seven of the eight contractors. These weaknesses included access control, configuration management control, and system integrity control issues. Without adequate oversight to monitor and confirm that security weaknesses are corrected at contractor facilities, security weaknesses will persist and taxpayer data will remain at risk of unauthorized access and disclosure.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS identify the information system that can serve as the primary source for identifying contractors requiring reviews. The IRS should also ensure that appropriate indicators are captured on each existing contract with a disclosure and privacy impact, validate whether the IRS business organization provided any IRS taxpayer data to these contractors, and provide the appropriate notification and guidance to the responsible IRS business organizations to execute annual security reviews of contractors when required. In addition, the IRS should validate correction of reported security weaknesses and recommend a process for reporting weaknesses that remain unmitigated to increase the accountability of the responsible parties for remediation of security weaknesses.

In their response to the report, IRS management agreed with our recommendations and plans to take appropriate corrective actions.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

May 18, 2010

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER
               CHIEF, AGENCY-WIDE SHARED SERVICES

FROM:          Michael R. Phillips
               Deputy Inspector General for Audit

SUBJECT:       Final Audit Report – Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure (Audit # 200920005)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) had effective controls in place to ensure IRS taxpayer data are protected at contractor facilities. This audit was included in the Treasury Inspector General for Tax Administration Fiscal Year 2010 Annual Audit Plan and addresses the major management challenge of Security at the IRS and was part of our statutory requirement to annually review the adequacy and security of IRS information technology.

Management’s complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

Taxpayer Data Used at Contractor Facilities
May Be at Risk for Unauthorized Access or Disclosure

Table of Contents

Background ..................................................................................... Page 1

Results of Review ............................................................................ Page 2
    The Internal Revenue Service Did Not Have an Effective Process
    for Identifying All Contractors Who Have Been Provided
    Taxpayer Data and Require Computer Security Reviews ............................ Page 2
        Recommendation 1: ..................................................... Page 3
        Recommendation 2: ..................................................... Page 4
    The Internal Revenue Service Did Not Ensure Computer
    Security Weaknesses Identified at Contractor Facilities
    Are Timely Corrected ..................................................................... Page 4
        Recommendations 3 and 4: ........................................... Page 6

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ........................ Page 7
    Appendix II – Major Contributors to This Report ........................................ Page 9
    Appendix III – Report Distribution List ....................................................... Page 10
    Appendix IV – Listing of Contractors Selected for Review ......................... Page 11
    Appendix V – Management’s Response to the Draft Report ....................... Page 12

Abbreviations

FISMA    Federal Information Security Management Act
IRS      Internal Revenue Service
ISR      Infrastructure Security and Reviews
NIST     National Institute of Standards and Technology
POA&M    Plan of Action and Milestones

Background

In its Fiscal Year 2001 summary report to Congress, the Office of Management and Budget identified the security of contractor-provided services as a Government-wide challenge to information technology security. When the Federal Information Security Management Act (FISMA)[1] was enacted a year later, provisions and guidelines were promulgated to ensure the effectiveness of information security controls supporting Federal operations and assets by contractors.

The Internal Revenue Service (IRS) uses contractors to help achieve its mission to administer the nation’s Federal tax system. Many of these contractors are provided IRS taxpayer data for use at contractor facilities outside of IRS offices. Other contractors operate information systems at contractor facilities on behalf of the IRS that provide access to the IRS network. Like IRS-managed computer systems, contractors must comply with security control requirements issued by the National Institute of Standards and Technology (NIST) for protecting IRS data. The IRS is ultimately responsible for ensuring security controls at contractor facilities are in place and operating effectively.

Specifically within the IRS, the Infrastructure Security and Reviews (ISR) office of the Modernization and Information Technology Services organization Cybersecurity function is responsible for reviewing controls of contractors who receive IRS taxpayer data for use or operate information systems on behalf of the IRS at contractor facilities to ensure security requirements have been implemented. The ISR office schedules and conducts reviews of these contractors on an annual basis, using the methodology defined in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and NIST Special Publication 800-53A, Guide for Assessing Controls in Federal Information Systems.

This review was performed at the Modernization and Information Technology Services organization Headquarters in New Carrollton, Maryland, and at one contractor facility in Sterling, Virginia, during the period June 2009 through January 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] E-Government Act of 2002, Pub. L. No. 107-347, Title III, 116 Stat. 2946.

Page 1

Results of Review

During Fiscal Years 2008 and 2009, the ISR office visited 12 and 57 contractors, respectively, to evaluate the security of IRS taxpayer information at the contractor facilities. Based on our review of eight contractors[2] visited by the ISR office during Fiscal Year 2009, we found that the ISR office conducted effective contractor reviews in accordance with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, for specifying required security controls and NIST Special Publication 800-53A, Guide for Assessing the Security Controls for Federal Information Systems, for assessing the security controls’ effectiveness. For the 12 contractors reviewed during Fiscal Year 2008, the ISR office identified 133 security weaknesses and for the 57 contractors reviewed during Fiscal Year 2009, the ISR office identified 268 security weaknesses in the same major control areas. These 401 security weaknesses related to all 17 NIST Special Publication 800-53 control families, including contingency planning (39 weaknesses), configuration management (37 weaknesses), risk assessments (32 weaknesses), and access controls (31 weaknesses).

However, the IRS did not have effective processes to identify all contractors with IRS taxpayer data that require annual security reviews by the IRS and did not ensure computer security weaknesses identified at contractor facilities during security reviews are timely corrected. In order to ensure IRS data are secured at all contractor facilities, the IRS needs to improve its current processes and controls to identify all contractors who process, manage, or store IRS taxpayer data at contractor facilities and to ensure timely corrective actions are taken on computer security weaknesses identified at contractor facilities.

The Internal Revenue Service Did Not Have an Effective Process for Identifying All Contractors Who Have Been Provided Taxpayer Data and Require Computer Security Reviews

The ISR office is required to conduct annual security reviews of contractors who possess or have direct access to IRS information or operate information systems on behalf of the IRS at contractor facilities to ensure security requirements have been implemented. The purpose of these security reviews is to ensure contractors are complying with IRS security policies and procedures, and protecting taxpayer information provided to them. To identify contractors who require these onsite security visits, the ISR office submits an enterprise-wide data call request asking all IRS business organizations to identify their contractors that possess or have access to IRS taxpayer data at contractor facilities. Based on the data call results, the ISR office prepares an inventory of contractors and schedules reviews based on a set of priorities, including filing season readiness, risk exposure, and the specific type of tax data processed by the contractor.

[2] See Appendix IV for a listing of the eight contractors we reviewed.

This process was not effective at identifying all contractors who have been provided IRS taxpayer data. During our audit fieldwork, we identified one contractor who was not on the contractor inventory list used by the ISR office for tracking their inventory of contractors requiring review but should have been included. In addition, the ISR office had identified a contractor who received IRS data but was previously identified as not receiving IRS taxpayer data by an IRS business organization. In Fiscal Year 2009, the ISR office subsequently reviewed both of these contractors.

These two examples highlight the need for improvement in identifying contractors who receive taxpayer data from the IRS. The contractors who were visited and reviewed by the ISR office in Fiscal Years 2008 and 2009 were identified by IRS business organizations responding to the data call. In Fiscal Year 2009, the ISR office also obtained a list of 1,396 procurement requests from an IRS procurement information system used to manage the IRS procurement process. All of these procurement requests contained disclosure and privacy indicators, which informed the IRS contracting office that the contractor would use IRS data at the contractor’s facility.[3] However, due to the workload involved, neither the ISR office nor the IRS Procurement organization reviewed these procurement requests to determine whether contractors were, in fact, provided IRS taxpayer data and, therefore, required an annual security review.

While not all of these 1,396 procurement requests may include contractors who process, manage, or store IRS taxpayer data at contractor facilities, we believe the contract data contained in the procurement information system may provide the most definitive, reliable, and complete source for identifying such contractors. However, improvements are needed to the procurement information system in order for the system to readily determine which contractors meet the ISR office criteria for requiring a contractor review. Without an effective process for identifying these contractors, the IRS cannot ensure that all contractors who have been provided IRS taxpayer data are being reviewed for computer security control weaknesses. As a result, the IRS cannot ensure that taxpayer data are protected at all contractor facilities.

[3] The disclosure and privacy indicator field on the procurement information system corresponds to the question, “Does your requirement involve Sensitive But Unclassified information where Information Technology services are performed at the contractor’s site or with the use of the contractor’s electronic devices (e.g., laptops, blackberries, text messaging cellular equipment, thumb drives, CDs, etc.)?” If answered yes, disclosure and privacy clauses are included in the contract.

Recommendations

Recommendation 1: The Chief, Agency-Wide Shared Services, and the Chief Technology Officer should identify the information system that can serve as the primary source for identifying contractors requiring ISR office security reviews and develop specific indicators within the information system that effectively identify any contractor receiving and using IRS taxpayer data at the contractor’s facility.

    Management’s Response: IRS management agreed with this recommendation. The Chief, Agency-Wide Shared Services, will modify the Personal Identity Verification Background Investigation Process system to identify candidate contracts and contractors who have access to sensitive information. The ISR office will use reports from this system and related information to identify contractor facilities for review.

Recommendation 2: The Director, Procurement, and the Director, Office of Privacy and Information Protection, should ensure the appropriate indicator is captured on each existing contract with a disclosure and privacy impact, validate whether the business organization provided any IRS taxpayer data to these contractors, and provide the appropriate notification and guidance to the responsible IRS business organizations to execute annual security reviews of these contractors when required.

    Management’s Response: IRS management agreed with this recommendation. The Director, Procurement, and the Director, Physical Security and Emergency Preparedness, will track the appropriate indicators and provide the ISR office with contract and contractor information for use in selecting contractor sites for security reviews.

The Internal Revenue Service Did Not Ensure Computer Security Weaknesses Identified at Contractor Facilities Are Timely Corrected

Office of Management and Budget memorandum M-08-21, entitled “Fiscal Year 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” states that FISMA requirements follow agency information into any system which uses it or processes it on behalf of the agency. When the ultimate responsibility and accountability for control of the information continues to reside with the agency, FISMA requirements apply. To the extent that contractors process, store, or house Federal Government information or operate information systems on behalf of the IRS at contractor facilities, the contractor’s security controls must be assessed against the same NIST criteria and standards as any Government agency. Further, the agency is responsible for ensuring the contractor corrects weaknesses discovered through self-assessments and independent assessments. Any weaknesses are to be reflected in the agency’s Plan of Action and Milestones (POA&M).[4]

IRS policy requires business and system owners to ensure that all acquisitions of goods or services provide for information security, personnel security, and physical security, which includes the security of any IRS data at contractor facilities. Further, IRS policy requires the Contracting Officer’s Technical Representative to ensure that contractors comply with IRS security policies and pursue appropriate action for noncompliance. As a means to determine whether contractors are complying with IRS security policies, the ISR office is responsible for evaluating the security of IRS taxpayer data at contractor facilities.

[4] A POA&M document, also referred to as a corrective action plan, is a tool that assists agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.

After the ISR office completes a contractor security review, the ISR office presents the results to the Contracting Officer’s Technical Representative in a Security Assessment Report, which includes the details of the security weaknesses identified at the contractor’s facilities. The ISR office instructs the Contracting Officer’s Technical Representative to coordinate with the Designated Approving Authority or the Security Program Management Office to identify corrective actions and planned implementation dates for resolving the weaknesses. The ISR office further instructs the Security Program Management Office to provide oversight, in coordination with the Contracting Officer’s Technical Representative, to ensure remediation of each weakness identified, including developing and maintaining a corresponding item on the POA&M.

However, the IRS was not consistently developing the POA&Ms for security weaknesses identified by the ISR office. In our judgmental sample of eight contractors visited by the ISR office during Fiscal Year 2009, all eight contractors’ facilities had security weaknesses identified by the ISR office. We requested copies of the POA&Ms for tracking these security weaknesses. The IRS was unable to provide the POA&Ms developed as a result of the ISR office reviews for seven of the eight contractors. During the course of our audit, the POA&Ms were developed for four of the seven contractors in our sample that were not provided when we requested them.

When asked why the POA&Ms were not completed for the seven contractors, the IRS stated it did not create and monitor ISR office findings in the POA&Ms for systems that it did not consider as FISMA reportable systems[5] or did not believe the contractors were subject to FISMA requirements. We disagree with this reasoning. However, while there might be confusion over what is or is not FISMA reportable, we believe the approach for tracking and monitoring security weaknesses should apply regardless of whether or not FISMA applies to the contractor since the weaknesses pertain to the protection of IRS taxpayer data. When security weaknesses are not tracked and monitored, the IRS has no assurance that an official within the IRS is taking responsibility for monitoring the security weaknesses reported by the ISR office and ensuring security weaknesses are timely addressed.

To illustrate the importance of monitoring security weaknesses at contractors’ facilities, the ISR office identified 6 repeat security weaknesses at contractor facilities during its Fiscal Year 2008 reviews and 24 repeat security weaknesses during its Fiscal Year 2009 reviews that were not corrected since the prior fiscal years’ ISR office reviews. These security weaknesses included access control, configuration management control, and system integrity control issues. For example, the ISR office found that some contractors:

    •   Had system security settings not set to the most restrictive mode.
    •   Lacked policies on how to handle sensitive information.
    •   Had systems that were less than 90 percent compliant with IRS security policies based on automated scans of system settings.

[5] Systems subject to FISMA contractor reviews include contractors with privileged access to IRS data and/or contractors that manage a process or system at a contractor-owned or operated facility on behalf of the IRS.

The eight contracts that we reviewed generally required the contractors to adhere to IRS security policies and procedures. Without adequate oversight to monitor and confirm that security weaknesses are corrected at contractor facilities, security weaknesses will persist and IRS data will remain at risk for unauthorized access and disclosure.

Recommendations

Recommendation 3: The Associate Chief Information Officer, Cybersecurity, should validate correction of ISR office reported security weaknesses and recommend a process for reporting weaknesses that remain unmitigated to increase the accountability of the responsible parties for remediation of security weaknesses.

    Management’s Response: IRS management agreed with this recommendation. The ISR office will establish a plan for requesting status updates on the POA&Ms from the responsible parties, validate corrected security weaknesses, and inform the responsible parties of uncorrected weaknesses quarterly.

Recommendation 4: The Director, Procurement, and the Associate Chief Information Officer, Cybersecurity, should work together to ensure contractor accountability that security weaknesses are addressed in a timely manner. Using validation results from Recommendation 3, the Procurement organization, working with the Cybersecurity organization, will take appropriate action and employ all rights and remedies available to the Government if and when contractors do not comply with IRS security policies.

    Management’s Response: IRS management agreed with this recommendation. Based on validation results from the ISR office, the Director, Procurement, and the Associate Chief Information Officer, Cybersecurity, will determine the appropriate action and employ all rights and remedies available to the Government if and when contractors do not comply with IRS security policies.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS had effective controls in place to ensure IRS taxpayer data are protected at contractor facilities. In order to accomplish our objective, we:

I.   Determined whether IRS contractor reviews were adequate to validate contractor compliance with IRS security policies.
     A. Selected a judgmental sample of 8 contractors that process, manage, or store Federal taxpayer information or operate information systems on behalf of the IRS at non-IRS locations from an IRS list of 57 contractors that required an annual security review during Fiscal Year 2009. This list was the result of the data call that the IRS makes to its business organizations annually to identify contractors to schedule for a security review. We selected a judgmental sample because we did not plan to project the results.
     B. Obtained and reviewed contracts for the selected contractors and determined whether each was adequate to hold contractors accountable for implementing IRS security policies.
     C. Obtained and reviewed contractor review plans and results prepared by the IRS for the selected contractors and evaluated them for adequacy.
     D. Determined whether any weaknesses identified were being tracked in a POA&M and whether progress was being made to correct the deficiencies.

II.  Determined whether key information system controls were in place and operating effectively to limit access to only authorized users at one contractor facility at a non-IRS location. We reviewed the following types of controls:
     A. Access.
     B. Identification and Authentication.
     C. Audit and Accountability.
     D. Risk Assessment.
     E. System and Information Integrity.

III. Evaluated the process for identifying contractors provided IRS taxpayer data for use at offsite locations.
     A. Reviewed the data call method used by the IRS to identify contractors requiring an annual security review.
     B. Reviewed procurement request data from an IRS procurement system and determined whether the IRS procurement system could be used to automate identification of contractors requiring an annual security review. To assess the reliability of the procurement request data, we interviewed knowledgeable agency officials about the data and reviewed relevant documentation. We determined that the data were sufficiently reliable for the purposes of this report.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the IRS’ policies, procedures, and practices for ensuring IRS data are secured at offsite contractor locations. We evaluated these controls by reviewing contracts, security control testing results, and related documentation and consulting with IRS and contractor personnel.

Appendix II

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Bret Hunter, Lead Auditor
Richard Borst, Senior Auditor
Michelle Griffin, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Director, Privacy, Information Protection, and Data Security OS:P
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Director, Privacy and Information Protection OS:P:PIP
Director, Procurement OS:A:P
Director, Cybersecurity Program and Policies OS:CTO:C:PP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
    Chief Technology Officer OS:CTO
    Chief, Agency-Wide Shared Services OS:A

Appendix IV

Listing of Contractors Selected for Review

From an IRS list of contractors that required contractor reviews, we selected a judgmental sample of eight contractors who process, manage, or store Federal taxpayer information or operate information systems on behalf of the IRS at non-IRS locations.
We reviewed the\ncontracts, the methods of security control testing, the Security Assessment Reports provided by\nthe IRS Infrastructure Security and Reviews team, and the processes to resolve weaknesses.\n\n         Contractor              Description of System                Location             Business\n                                                                                          Organization\n1   Northrop Grumman         Service Center Recognition Image     Reston, Virginia      Wage and Investment\n    Information Technology   Processing System\n2   Accenture/Affina/Qwest   Health Coverage Tax Credit           Iowa, Virginia, and   Wage and Investment\n                             Program                              Texas\n3   AT&T                     Enterprise Remote Access Project     Oakton, Virginia      Modernization and\n                                                                                        Information\n                                                                                        Technology Services\n\n4   Accenture                IRS.gov Public User Portal           Reston, Virginia      Modernization and\n                                                                                        Information\n                                                                                        Technology Services\n5   IBM/Quest                Registered User Portal               Sterling, Virginia,   Modernization and\n                                                                  and Chicago,          Information\n                                                                  Illinois              Technology Services\n\n\n6   Computer Sciences        Development, Integration, and        Lanham, Maryland      Modernization and\n    Corporation              Testing Environment                                        Information\n                                                                                   
     Technology Services\n7   CRA International        The contractor is supplied with      Chicago, Illinois     Small Business/\n                             Sensitive But Unclassified data in                         Self-Employed\n                             order to perform appraisal or\n                             actuarial work \xe2\x80\x93 valuation of\n                             minority stock interests.\n8   Pacific Consulting       Data and market research             Palo Alto,            Wage and Investment\n    Group                                                         California\n\n\n\n\n                                                                                                   Page 11\n\x0c           Taxpayer Data Used at Contractor Facilities\n       May Be at Risk for Unauthorized Access or Disclosure\n\n\n\n                                                    Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 12\n\x0c    Taxpayer Data Used at Contractor Facilities\nMay Be at Risk for Unauthorized Access or Disclosure\n\n\n\n\n                                                   Page 13\n\x0c    Taxpayer Data Used at Contractor Facilities\nMay Be at Risk for Unauthorized Access or Disclosure\n\n\n\n\n                                                   Page 14\n\x0c    Taxpayer Data Used at Contractor Facilities\nMay Be at Risk for Unauthorized Access or Disclosure\n\n\n\n\n                                                   Page 15\n\x0c'